Openclaw

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed external discovery/router helper, with no malware telemetry or artifact-backed evidence of hidden execution, persistence, credential access, or destructive behavior.

Install only if you want a broad service-discovery/router skill. Be mindful that vague requests like finding or showing options may be routed externally; avoid including private, account, financial, or confidential details unless you intend to share them with the provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill instructs invocation for very broad intents such as finding, comparing, buying, or contacting nearly any service not covered elsewhere. That breadth can cause over-invocation on ambiguous user requests, unnecessarily sending user queries to an external catalog/router and increasing privacy, consent, and misrouting risk.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The listed trigger phrases include generic language like 'find me', 'show me', 'dame', and 'consígueme', which commonly appears in ordinary conversation and many non-marketplace tasks. In an agent environment, such vague triggers can cause the skill to activate unexpectedly, forwarding user content to a third-party service when the user did not clearly ask for external discovery.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal